nsq9870.tmp

Somoto Ltd

The file nsq9870.tmp by Somoto has been detected as a potentially unwanted program by 28 of 68 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. It includes the Somoto BetterInstaller, an adware installer that bundles offers for additional third-party applications, mostly adware toolbars, with legitimate software and may install them without adequate user consent. The file has been seen being downloaded from sub.spirlymo.com. Note that the file carries a valid code-signing signature from Somoto Ltd issued by Symantec, so a passing signature check is not evidence that the installer is benign; the signer name itself is the indicator to look for.
Publisher:
Somoto Ltd  (signed and verified)

Version:
1.0.0.1

MD5:
f1b24b61ee6a6725c7840787fd69f511

SHA-1:
4b5803c8f173a5388c867303607ba2efe563f60e

SHA-256:
f695d22e62f785a8da6fa5c45d8428aaf37fa9c6a8b7d75631aa5469a76fecab

Scanner detections:
28 / 68

Status:
Potentially unwanted

Explanation:
Uses the Somoto 'BetterInstaller' to bundle additional (unwanted) software during install without adequate consent.

Analysis date:
4/25/2024 1:05:24 AM UTC

Scan engine             Detection                             Engine version
Lavasoft Ad-Aware       Application.Bundler.Somoto.AG         435
AhnLab V3 Security      PUP/Win32.Somoto                      2015.11.23
Avira AntiVirus         PUA/Somoto.Gen2                       8.3.2.4
Arcabit                 Application.Bundler.Somoto.AG         1.0.0.597
AVG                     AdLoad.S                              2016.0.2913
Baidu Antivirus         Adware.Win32.Somoto                   4.0.3.151126
Bitdefender             Application.Bundler.Somoto.AG         1.0.20.1650
Bkav FE                 W32.HfsAdware                         1.3.0.7383
Clam AntiVirus          Win.Adware.Somoto-2                   0.98/21511
Comodo Security         Application.Win32.Somoto.GH           23643
Dr.Web                  Adware.Somoto.139                     9.0.1.0330
ESET NOD32              Win32/Somoto.G potentially unwanted   9.12608
F-Prot                  W32/Trojan2.OUSK                      v6.4.7.1.166
F-Secure                Application.Bundler.Somoto            11.2015-26-11_5
IKARUS anti.virus       PUA.Somoto                            t3scan.1.9.5.0
K7 AntiVirus            Adware                                13.212.17933
Kaspersky               not-a-virus:Downloader.Win32.Somato   14.0.0.1061
Malwarebytes            PUP.Optional.Somoto                   v2015.11.26.09
McAfee                  Artemis!F1B24B61EE6A                  5600.6569
MicroWorld eScan        Application.Bundler.Somoto.AG         16.0.0.990
NANO AntiVirus          Riskware.Nsis.Adware.dshbbp           0.30.26.4751
Qihoo 360 Security      HEUR/QVM42.1.Malware.Gen              1.0.0.1077
Reason Heuristics       PUP.Somoto.Installer (M)              15.11.26.21
Sophos                  Somoto BetterInstaller (PUA)          4.98
SUPERAntiSpyware        PUP.Somoto/Variant                    9483
Trend Micro House Call  ADW_TOMOS.SMN                         7.2.330
Trend Micro             ADW_TOMOS.SMN                         10.465.26
VIPRE Antivirus         Trojan.Win32.Generic                  45372

File size:
420.8 KB (430,872 bytes)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\nsq9870.tmp

Digital Signature
Signed by:
Somoto Ltd
Authority:
Symantec Corporation

Valid from:
6/24/2015 2:00:00 AM

Valid to:
8/23/2016 1:59:59 AM

Subject:
CN=Somoto Ltd, O=Somoto Ltd, L=Tel Aviv, S=Israel, C=IL

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
02FED381427052F6E66365A4627FB0ED

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:usxFmdkuv1H4miMRTZwh+5nTrWX+FNl5pI9uFkbn3PlJhfa0wSR2nf+6:zF7ql4mLR5nXWX2tGEFkbn3PlJhlofR

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 

Entropy:
7.9406

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)
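The hashes, entropy, NSIS marker and PE header fields listed on this page are exactly what an analyst checks first when a file like this lands in a temp directory. The script below is an added example for this page, not tooling from the page or from Reason Core Security: it compares a file's digests against the three published above, computes Shannon entropy, recognises the NSIS data block by its firstheader tag (0xDEADBEEF followed by "NullsoftInst", which is how NSIS really marks its overlay) and parses the COFF/optional header for the compile timestamp, entry address, linker and OS versions, subsystem and code size. Because the real nsq9870.tmp is not shipped here, `build_sample()` constructs a stand-in PE32 image carrying the page's metadata values plus a pseudo-random blob that plays the compressed payload; that sample and all helper names are assumptions of this example.

```python
"""Offline triage of an NSIS installer stub such as nsq9870.tmp.
Added example for this page; it is not tooling from the page or from
Reason Core Security, and it never downloads or ships the real file."""
import hashlib
import math
import struct
from datetime import datetime, timezone

# Digests transcribed from the page; require all three to match before trusting a hit.
PAGE_IOCS = {
    "md5": "f1b24b61ee6a6725c7840787fd69f511",
    "sha1": "4b5803c8f173a5388c867303607ba2efe563f60e",
    "sha256": "f695d22e62f785a8da6fa5c45d8428aaf37fa9c6a8b7d75631aa5469a76fecab",
}
# NSIS writes a "firstheader" in front of its compressed data block:
# flags, 0xDEADBEEF (little-endian), then the ASCII tag "NullsoftInst".
NSIS_MAGIC = b"\xef\xbe\xad\xde" + b"NullsoftInst"
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}


def file_hashes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def matches_page_iocs(data: bytes) -> bool:
    """True only if all three digests equal the ones published for nsq9870.tmp."""
    return file_hashes(data) == PAGE_IOCS


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0..8). An NSIS stub drags a compressed payload behind it,
    so values near 8 (the page reports 7.9406) are normal for the format."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe_header(data: bytes) -> dict:
    """Read the COFF/optional-header fields the page lists from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    machine, _nsect, timestamp, _, _, _opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20                          # optional header follows COFF
    magic, link_major, link_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "bitness": "Win32" if machine == 0x14C else hex(machine),
        "compiled": datetime.fromtimestamp(timestamp, timezone.utc)
                            .strftime("%Y-%m-%d %H:%M:%S UTC"),
        "entry_rva": entry_rva,
        "linker": f"{link_major}.{link_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "code_size": size_of_code,
    }


def is_nsis(data: bytes) -> bool:
    """The NSIS data block lives in the overlay (after the last section), so a
    plain search for the firstheader tag is enough to recognise the format."""
    return NSIS_MAGIC in data


def triage(data: bytes) -> dict:
    return {"hashes": file_hashes(data),
            "known_sample": matches_page_iocs(data),
            "entropy": round(shannon_entropy(data), 4),
            "nsis": is_nsis(data),
            "pe": parse_pe_header(data)}


def build_sample(entry_rva: int = 0x323C) -> bytes:
    """Constructed stand-in for the real stub (assumption: this is NOT nsq9870.tmp):
    a minimal PE32 header carrying the page's metadata values, an NSIS firstheader,
    and a deterministic pseudo-random blob playing the compressed payload."""
    ts = int(datetime(2009, 12, 5, 23, 50, 46, tzinfo=timezone.utc).timestamp())
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 224, 0x010F)
    opt = bytearray(224)
    struct.pack_into("<HBBI", opt, 0, 0x10B, 6, 0, 23552)  # PE32, linker 6.0, code size
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<HH", opt, 40, 4, 0)                 # OS version 4.0
    struct.pack_into("<H", opt, 68, 2)                     # Windows GUI subsystem
    blob, chunk = b"", b"seed"
    while len(blob) < 8192:                                # SHA-256 chain: high entropy, reproducible
        chunk = hashlib.sha256(chunk).digest()
        blob += chunk
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + NSIS_MAGIC + blob


if __name__ == "__main__":
    import json
    # Point this at a real file when you have one: triage(open(path, "rb").read())
    print(json.dumps(triage(build_sample()), indent=2))
```

Two caveats when reading the output against a real sample. The compile timestamp, linker 6.0, OS version 4.0 and entry address belong to the generic NSIS 2.x stub that every NSIS installer shares (the entry bytes `81 EC 80 01 00 00` above are simply `sub esp, 0x180`, the stub's prologue), so those fields identify the wrapper, not Somoto; what distinguishes this file is the hash match, the Somoto Ltd signer and whatever the overlay unpacks to. And the NSIS tag search is a format check, not a verdict: plenty of legitimate software ships as NSIS, which is why `known_sample` demands all three digests rather than the file type.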

The file nsq9870.tmp has been seen being distributed from the host sub.spirlymo.com noted above; no further distribution URLs are listed on this page.

Remove nsq9870.tmp - Powered by Reason Core Security